OBSDOCS-1976: Document support for GCP, Azure, and AWS STP tokens

rubenvp8510 · max-cx · commit 70f413cd8052 · 2025-06-15T01:26:18.000+02:00
Signed-off-by: Ruben Vargas &lt;ruben.vp8510@gmail.com&gt;
diff --git a/modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc
@@ -0,0 +1,130 @@
+// Module included in the following assemblies:
+//
+//* observability/distr_tracing/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-object-storage-setup-aws-sts-install_{context}"]
+= Setting up the Amazon S3 storage with the Security Token Service
+
+You can set up the Amazon S3 storage with the Security Token Service (STS) by using the AWS Command Line Interface (AWS CLI).
+
+:FeatureName: The Amazon S3 storage with the Security Token Service
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+.Prerequisites
+
+* You have installed the latest version of the AWS CLI.
+* You have installed and configured Cloud Credential Operator in your cluster.
+
+.Procedure
+
+. Create an AWS S3 bucket.
+
+. Create the following `trust.json` file for the AWS IAM policy that will set up a trust relationship for the AWS IAM role, created in the next step, with the service account of the TempoStack instance:
++
+[source,yaml]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Principal": {
+          "Federated": "arn:aws:iam::${<aws_account_id>}:oidc-provider/${<oidc_provider>}" # <1>
+        },
+        "Action": "sts:AssumeRoleWithWebIdentity",
+        "Condition": {
+          "StringEquals": {
+            "${OIDC_PROVIDER}:sub": [
+              "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}" # <2>
+              "system:serviceaccount:${<openshift_project_for_tempostack>}:tempo-${<tempostack_cr_name>}-query-frontend"
+           ]
+         }
+       }
+     }
+    ]
+}
+----
+<1> OIDC provider that you have configured on the {product-title}. You can get the configured OIDC provider value also by running the following command: `$ oc get authentication cluster -o json | jq -r '.spec.serviceAccountIssuer' | sed 's~http[s]*://~~g'`.
+<2> Namespace in which you intend to create the TempoStack instance.
+
+. Create an AWS IAM role by attaching the `trust.json` policy file that you created:
++
+[source,terminal]
+----
+$ aws iam create-role \
+      --role-name "tempo-s3-access" \
+      --assume-role-policy-document "file:///tmp/trust.json" \
+      --query Role.Arn \
+      --output text
+----
+
+. Attach an AWS IAM policy to the created role:
++
+[source,terminal]
+----
+$ aws iam attach-role-policy \
+      --role-name "tempo-s3-access" \
+      --policy-arn "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+----
+. Configure Cloud Provider environment for the tempo operator. In the case of AWS STS we need to add ROLEARN environment variable to the operator subcription.
+[source,terminal]
+----
+$ oc patch subscription <TEMPO_OPERATOR_SUB> \ <1>
+          -n <TEMPO_OPERATOR_NAMESPACE> \ <2>
+          --type='merge' -p '{"spec": {"config": {"env": [{"name": "ROLEARN", "value": "'"<ROLE_ARN>"'"}]}}}' <3>
+
+----
+<1> Operator Subscription Name
+<2> Tempo Operator namespace
+<3> ARN of the role previously created.
+
+. In the {product-title}, create an object storage secret with keys as follows:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio-test
+stringData:
+  bucket: <s3_bucket_name>
+  region: <s3_region>
+type: Opaque
+----
+. When TempoStack CR is created you need to specify the credentialMode as follows:
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: <name>
+  namespace: <tempo_ns>
+spec:
+  storage:
+    secret:
+      name: aws-sts
+      type: s3 <1>
+      credentialMode: token-cco <2>
+----
+<1> Currently this is the only backend supported togheter with CCO.
+<2> Credential mode should be set to token-cco.
++
+. For tempo monolithic will be similar:
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoMonolithic
+metadata:
+  name: <name>
+  namespace: <tempo_ns>
+spec:
+  storage:
+    traces:
+      backend: s3 <1>
+      s3:
+        secret: aws-sts
+        credentialMode: token-cco <2>
+----
+<1> Currently this is the only backend supported togheter with CCO.
+<2> Credential mode should be set to token-cco.
diff --git a/modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc
@@ -0,0 +1,99 @@
+// Module included in the following assemblies:
+//
+//* observability/distr_tracing/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-object-storage-setup-azure-sts-install_{context}"]
+= Setting up the Azure storage with the Security Token Service
+
+You can set up Azure storage with the Security Token Service (STS) by using the Azure Command Line Interface (AZ CLI).
+
+:FeatureName: Azure storage with the Security Token Service
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+.Prerequisites
+
+* You have installed the latest version of the AWS CLI.
+* Created an Azure Storage Account.
+* Created an Azure Blob Storage Container.
+
+.Procedure
+. Create an Azure Managed identity
+[source,terminal]
+----
+az identity create \
+  --name <IDENTITY_NAME> \ <1>
+  --resource-group <RESOURCE_GROUP> \ <2>
+  --location <REGION> \ <3>
+  --subscription <SUBSCRIPTION_ID> <4>
+----
+<1> Name of the identity to be created.
+<2> The Azure resource group where the identity will be created.
+<3> The Azure region; it should be the same region as the resource group.
+<4> Azure subscription ID.
++
+. Create federated credentials. Federated credentials allow Kubernetes service accounts to authenticate as the Azure managed identity without storing secrets or using service principals. You need to create one per Kubernetes service account. In this case, the operator will create one service account for all components and one specific for the frontend component.
+[source,terminal]
+----
+az identity federated-credential create \
+  --name <CREDENTIAL_NAME> \ <1>
+  --identity-name <IDENTITY_NAME> \
+  --resource-group <RESOURCE_GROUP> \
+  --issuer <CLUSTER_ISSUER> \ <2>
+  --subject <TEMPO_SA_SUBJECT> \ <3>
+  --audiences <AUDIENCE> <4>
+----
+<1> Name of the federated credential.
+<2> The OIDC issuer URL of the Kubernetes cluster. You can get it using the following command: `oc get authentication cluster -o json | jq -r .spec.serviceAccountIssuer`
+<3> The Kubernetes service account subject, in the format: `system:serviceaccount:<namespace>:tempo-<tempo-instance-name>`
+<4> The expected audience used to validate tokens, commonly set to `api://AzureADTokenExchange`.
++
+Create frontend federated credential.
+[source,terminal]
+----
+az identity federated-credential create \
+  --name <CREDENTIAL_NAME>-frontend \ <1>
+  --identity-name <IDENTITY_NAME> \
+  --resource-group <RESOURCE_GROUP> \
+  --issuer <CLUSTER_ISSUER> \
+  --subject <TEMPO_SA_QUERY_FRONTEND_SUBJECT> \ <2>
+  --audiences <AUDIENCE> | jq
+----
+<1> Name of the federated credential.
+<2> The Kubernetes service account subject, in the format: `system:serviceaccount:<namespace>:tempo-<tempo-instance-name>`
++
+. Assign the "Storage Blob Data Contributor" role to the managed identity's service principal.
+[source,terminal]
+----
+az role assignment create \
+  --assignee <ASSIGNEE_NAME> \ <1>
+  --role "Storage Blob Data Contributor" \
+  --scope "/subscriptions/<SUBSCRIPTION_ID>
+----
+<1> Managed identity principal. Can be obtained with the following command: `az ad sp list --all --filter "servicePrincipalType eq 'ManagedIdentity'" | jq -r --arg idName <IDENTITY_NAME> '.[] | select(.displayName == $idName) | .appId'`
++
+. Fetch the client ID of the existing managed identity.
+[source,terminal]
+----
+CLIENT_ID=$(az identity show \
+  --name <IDENTITY_NAME> \
+  --resource-group <RESOURCE_GROUP> \
+  --query clientId \
+  -o tsv)
+----
++
+. Create a Kubernetes secret for Azure WIF.
+[source,terminal]
+----
+kubectl create -n <TEMPO_NAMESPACE> secret generic azure-secret \
+  --from-literal=container=<$AZURE_STORAGE_AZURE_CONTAINER> \ <1>
+  --from-literal=account_name=<AZURE_STORAGE_AZURE_ACCOUNTNAME> \ <2>
+  --from-literal=client_id=<CLIENT_ID> \ <3>
+  --from-literal=audience=<AUDIENCE> \ <4>
+  --from-literal=tenant_id=<TENANT_ID> <5>
+----
+<1> Azure Blob storage container.
+<2> Azure Storage account name.
+<3> Client ID of the managed identity (obtained in the previous step).
+<4> Audience, optional (defaults to `api://AzureADTokenExchange`).
+<5> Azure Tenant ID.
diff --git a/modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc b/modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc
@@ -0,0 +1,105 @@
+// Module included in the following assemblies:
+//
+//* observability/distr_tracing/distr-tracing-tempo-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-object-storage-setup-gcp-sts-install_{context}"]
+= Setting up the Google Cloud storage with the Security Token Service
+
+You can set up the Goocle Cloud Storage with the Security Token Service (STS) by using the Google Coud CLI.
+
+:FeatureName: The Amazon GCS storage with the Security Token Service
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+.Prerequisites
+
+* You have installed the latest version of the Google Cloud CLI.
+
+.Procedure
+
+. Create an GCS bucket.
+
+. Create an IAM service account. You can also use any existing IAM service account in any project in your organization.
+
++
+[source,terminal]
+----
+SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts create <IAM_SA_NAME> \  #<1>
+    --display-name="Tempo Account" \
+    --project <PROJECT_ID>  \ #<2>
+    --format='value(email)' \ 
+    --quiet)
+----
+<1> Service account name in Google Cloud.
+<2> Google Cloud Project ID in which the account will be created
+
+. Bind the required GCP roles to the created SA at the project level:
++
+[source,terminal]
+----
+$ gcloud projects add-iam-policy-binding <PROJECT_ID> \
+    --member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser"
+
+$ gcloud projects add-iam-policy-binding <PROJECT_ID> \
+    --member "serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
+    --role "roles/storage.objectAdmin"
+
+----
+. Retrieve the `POOL_ID` of the Google Cloud Workload Identity Pool associated with the OpenShift cluster.
++
+[source,terminal]
+----
+$ OIDC_ISSUER=$(oc get authentication.config cluster -o jsonpath='{.spec.serviceAccountIssuer}')
+
+$ POOL_ID=$(echo "$OIDC_ISSUER" | awk -F'/' '{print $NF}' | sed 's/-oidc$//')
+----
+.  Allow Kubernetes Service Accounts to impersonate the Google Service Account, SERVICE_ACCOUNT_EMAIL is the output of the commant used to created the service account in the step 2.
++
+[source,terminal]
+----
+$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/subject/system:serviceaccount:<TEMPO_NAMESPACE>:tempo-<TEMPO_NAME>" \
+  --project=<PROJECT_ID> \
+  --quiet
+
+$ gcloud iam service-accounts add-iam-policy-binding "$SERVICE_ACCOUNT_EMAIL" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principal://iam.googleapis.com/projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/subject/system:serviceaccount:${TEMPO_NAMESPACE}:tempo-${TEMPO_NAME}-query-frontend" \
+  --project="$PROJECT_ID" \
+  --quiet
+----
+. Create credential file used by Tempo Stack, this will be in the key.json key in the storage secret:
++
+[source,terminal]
+----
+$ gcloud iam workload-identity-pools create-cred-config \
+    "projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/$POOL_ID/providers/<PROVIDER_ID>" \
+    --service-account="$SERVICE_ACCOUNT_EMAIL" \
+    --credential-source-file=/var/run/secrets/storage/serviceaccount/token \
+    --credential-source-type=text \
+    --output-file=<OUTPUT_FILE_PATH> #<1>
+----
+<1> Path where the file will be writed
++
+Note: credential-source-file should be always point to /var/run/secrets/storage/serviceaccount/token, this is where the operator will mount the token
+. Get the correct audience as follows:
++
+[source,terminal]
+----
+gcloud iam workload-identity-pools providers describe "$PROVIDER_NAME" --format='value(oidc.allowedAudiences[0])'
+----
++
+. Create storage secret to be used by Tempo.
++
+[source,terminal]
+----
+kubectl -n <TEMPO_NAMESPACE> create secret generic gcs-secret \
+  --from-literal=bucketname="<BUCKET_NAME> \ #<1>
+  --from-literal=audience="<AUDIENCE> \      #<2>
+  --from-file=key.json=<OUTPUT_FILE_PATH>    #<3>
+----
+<1> Bucket name of the Google Cloud Storage
+<2> Audience we get in the previous step
+<3> This is the file we created with gcloud iam workload-identity-pools create-cred-config command.
diff --git a/observability/distr_tracing/distr-tracing-tempo-installing.adoc b/observability/distr_tracing/distr-tracing-tempo-installing.adoc
@@ -38,6 +38,12 @@ include::modules/distr-tracing-tempo-storage-ref.adoc[leveloffset=+1]
 
 include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-install.adoc[leveloffset=+2]
 
+include::modules/distr-tracing-tempo-object-storage-setup-azure-sts-install.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-object-storage-setup-gcp-sts-install.adoc[leveloffset=+2]
+
+include::modules/distr-tracing-tempo-object-storage-setup-aws-sts-cco-install.adoc[leveloffset=+2]
+
 [role="_additional-resources"]
 .Additional resources
 
